Added back old ssphp login theme

sshguard doesn't actually work as it currently stands, also the builtin
PerSourcePenalty functionality in SSH is more aggressive than sshguard
is able to catch anyway. It might've been reasonable if we were using it
for anything other than SSH, but it doesn't seem like we are.

base/default.nix

@@ -10,10 +10,12 @@
     (fp /users)
     (fp /modules/snakeoil-certs.nix)
 
+    ./flake-input-exporter.nix
     ./networking.nix
     ./nix.nix
+    ./programs.nix
+    ./sops.nix
     ./vm.nix
-    ./flake-input-exporter.nix
 
     ./services/acme.nix
     ./services/auto-upgrade.nix
@@ -40,6 +42,9 @@
   boot.tmp.cleanOnBoot = lib.mkDefault true;
   boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 
+  boot.loader.systemd-boot.enable = lib.mkDefault true;
+  boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
+
   time.timeZone = "Europe/Oslo";
 
   i18n.defaultLocale = "en_US.UTF-8";
@@ -48,22 +53,8 @@
     keyMap = "no";
   };
 
-  environment.systemPackages = with pkgs; [
-    file
-    git
-    gnupg
-    htop
-    nano
-    net-tools
-    ripgrep
-    rsync
-    screen
-    tmux
-    vim
-    wget
-
-    kitty.terminfo
-  ];
+  # Don't install the /lib/ld-linux.so.2 stub
+  environment.ldso32 = null;
 
   # .bash_profile already works, but lets also use .bashrc like literally every other distro
   # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
@@ -77,8 +68,6 @@
     fi
   '';
 
-  programs.zsh.enable = true;
-
   # security.lockKernelModules = true;
   security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
@@ -86,6 +75,14 @@
     Defaults lecture = never
   '';
 
+  # These are servers, sleep is for the weak
+  systemd.sleep.extraConfig = lib.mkDefault ''
+    AllowSuspend=no
+    AllowHibernation=no
+  '';
+
+  users.mutableUsers = lib.mkDefault false;
+
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/nix.nix

@@ -37,4 +37,9 @@
       "unstable=${inputs.nixpkgs-unstable}"
     ];
   };
+
+  # Make builds to be more likely killed than important services.
+  # 100 is the default for user slices and 500 is systemd-coredumpd@
+  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
+  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
 }

base/programs.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, ... }:
+{
+  # We don't need fonts on headless machines
+  fonts.fontconfig.enable = lib.mkDefault false;
+
+  # Extra packags for better terminal emulator compatibility in SSH sessions
+  environment.enableAllTerminfo = true;
+
+  environment.systemPackages = with pkgs; [
+    # Debug dns outside resolvectl
+    dig
+
+    # Debug and find files
+    file
+
+    # Check computer specs
+    lshw
+
+    # Scan for open ports with netstat
+    net-tools
+
+    # Grep for files quickly
+    ripgrep
+
+    # Copy files over the network
+    rsync
+
+    # Access various state, often in /var/lib
+    sqlite-interactive
+
+    # Debug software which won't debug itself
+    strace
+
+    # Download files from the internet
+    wget
+  ];
+
+  # Clone/push nix config and friends
+  programs.git.enable = true;
+
+  # Gitea gpg, oysteikt sops, etc.
+  programs.gnupg.agent.enable = true;
+
+  # Monitor the wellbeing of the machines
+  programs.htop.enable = true;
+
+  # Keep sessions running during work over SSH
+  programs.tmux.enable = true;
+
+  # Same reasoning as tmux
+  programs.screen.enable = true;
+
+  # Edit files on the system without resorting to joe(1)
+  programs.nano.enable = true;
+  # Same reasoning as nano
+  programs.vim.enable = true;
+
+  # Some people like this shell for some reason
+  programs.zsh.enable = true;
+}

base/services/nginx.nix

@@ -39,7 +39,8 @@
     SystemCallFilter = lib.mkForce null;
   };
 
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+  services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
+    "_" = {
       listen = [
         {
           addr = "0.0.0.0";
@@ -64,4 +65,12 @@
       addSSL = true;
       extraConfig = "return 444;";
     };
+
+    ${config.networking.fqdn} = {
+      sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
+      sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
+      addSSL = lib.mkDefault true;
+      extraConfig = lib.mkDefault "return 444;";
+    };
+  };
 }

base/services/smartd.nix

@@ -1,7 +1,9 @@
 { config, pkgs, lib, ... }:
 {
   services.smartd = {
-    enable = lib.mkDefault true;
+    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
+    #       hosts with disk passthrough.
+    enable = lib.mkDefault (!config.services.qemuGuest.enable);
     notifications = {
       mail = {
         enable = true;

base/sops.nix

@@ -0,0 +1,12 @@
+{ config, fp, lib, ... }:
+{
+  sops.defaultSopsFile = let
+    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
+  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
+
+  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
+    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
+    keyFile = "/var/lib/sops-nix/key.txt";
+    generateKey = true;
+  };
+}

flake.lock

@@ -235,11 +235,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768068512,
-        "narHash": "sha256-pH5wkcNOiXy4MBjDTe6A1gml+7m+ULC3lYMBPMqdS1w=",
+        "lastModified": 1768955766,
+        "narHash": "sha256-V9ns1OII7sWSbIDwPkiqmJ3Xu/bHgQzj+asgH9cTpOo=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "4367a2093c5ff74fc478466aebf41d47ce0cacb4",
+        "rev": "71f27de56a03f6d8a1a72cf4d0dfd780bcc075bc",
         "type": "github"
       },
       "original": {
@@ -251,11 +251,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768555036,
-        "narHash": "sha256-qJTh3xrFsqrXDzUmjPGV0VC70vpsq/YP25Jo6Fh7PTs=",
-        "rev": "1d2851ebcd64734ef057e8c80e05dd5600323792",
+        "lastModified": 1768877948,
+        "narHash": "sha256-Bq9Hd6DWCBaZ2GkwvJCWGnpGOchaD6RWPSCFxmSmupw=",
+        "rev": "43b2e61c9d09cf6c1c9c192fe6da08accc9bfb1d",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4104.1d2851ebcd64/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4368.43b2e61c9d09/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -279,11 +279,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1768553552,
-        "narHash": "sha256-YeNMZDAxdQUMLcqZmoc+/WzYrJxTEg6Y7uNALUcF1dE=",
-        "rev": "a6b8b0f0ceb6d4f5da70808e26c68044099460fd",
+        "lastModified": 1768886240,
+        "narHash": "sha256-HUAAI7AF+/Ov1u3Vvjs4DL91zTxMkWLC4xJgQ9QxOUQ=",
+        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre928681.a6b8b0f0ceb6/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre930839.80e4adbcf899/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -466,11 +466,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768481291,
-        "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
+        "lastModified": 1768863606,
+        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
+        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
         "type": "github"
       },
       "original": {

flake.nix

@@ -105,6 +105,9 @@
           } // specialArgs;
 
           modules = [
+            {
+              networking.hostName = lib.mkDefault name;
+            }
             configurationPath
           ] ++ (lib.optionals enableDefaults [
             sops-nix.nixosModules.sops
@@ -275,7 +278,7 @@
 
         bluemap = pkgs.callPackage ./packages/bluemap.nix { };
 
-        out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
+        out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
       }
       //
       # Mediawiki extensions

hosts/bakke/configuration.nix

@@ -6,20 +6,13 @@
       ./filesystems.nix
     ];
 
-  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bakke";
   networking.hostId = "99609ffc";
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp2s0";
     address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.05";
 }

hosts/bekkalokk/configuration.nix

@@ -19,16 +19,6 @@
     ./services/qotd
   ];
 
-  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bekkalokk";
-
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp2s0";
     address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -36,7 +26,7 @@
 
   services.btrfs.autoScrub.enable = true;
 
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";
 }

hosts/bekkalokk/services/idp-simplesamlphp/config.php

@@ -556,6 +556,7 @@ $config = [
     'module.enable' => [
         'admin' => true,
 	'authpwauth' => true,
+	'themepvv' => true,
     ],
 
 
@@ -858,7 +859,7 @@ $config = [
     /*
      * Which theme directory should be used?
      */
-    'theme.use' => 'default',
+    'theme.use' => 'themepvv:pvv',
 
     /*
      * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -1,8 +1,24 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
+  themePvv = pkgs.fetchFromGitea {
+    domain = "git.pvv.ntnu.no";
+    owner = "Drift";
+    repo = "ssp-theme";
+    rev = "bda4314030be5f81aeaf2fb1927aee582f1194d9";
+    hash = "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=";
+  };
+
   pwAuthScript = pkgs.writeShellApplication {
     name = "pwauth";
-    runtimeInputs = with pkgs; [ coreutils heimdal ];
+    runtimeInputs = with pkgs; [
+      coreutils
+      heimdal
+    ];
     text = ''
       read -r user1
       user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@@ -33,7 +49,7 @@ let
 
       "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
         <?php
-          ${ lib.pipe config.services.idp.sp-remote-metadata [
+          ${lib.pipe config.services.idp.sp-remote-metadata [
             (map (url: ''
               $metadata['${url}'] = [
                 'SingleLogoutService' => [
@@ -85,18 +101,27 @@ let
 
         substituteInPlace "$out" \
           --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+            config.sops.secrets."idp/cookie_salt".path
+          }")' \
           --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
           --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+            config.sops.secrets."idp/admin_password".path
+          }")' \
           --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
           --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
           --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+            config.sops.secrets."idp/postgres_password".path
+          }")' \
           --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
       '';
 
       "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+
+      # PVV theme module (themepvv).
+      "modules/themepvv" = themePvv;
     };
   };
 in
@@ -158,10 +183,12 @@ in
     services.phpfpm.pools.idp = {
       user = "idp";
       group = "idp";
-      settings = let
+      settings =
+        let
           listenUser = config.services.nginx.user;
           listenGroup = config.services.nginx.group;
-      in {
+        in
+        {
           "pm" = "dynamic";
           "pm.max_children" = 32;
           "pm.max_requests" = 500;

hosts/bekkalokk/services/well-known/default.nix

@@ -1,6 +1,12 @@
-{ ... }:
+{ lib, ... }:
 {
-  services.nginx.virtualHosts."www.pvv.ntnu.no".locations = {
+  services.nginx.virtualHosts = lib.genAttrs [
+    "pvv.ntnu.no"
+    "www.pvv.ntnu.no"
+    "pvv.org"
+    "www.pvv.org"
+  ] (_: {
+    locations = {
       "^~ /.well-known/" = {
         alias = (toString ./root) + "/";
       };
@@ -15,4 +21,5 @@
         '';
       };
     };
+  });
 }

hosts/bicep/configuration.nix

@@ -15,16 +15,6 @@
     ./services/matrix
   ];
 
-  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bicep";
-
   #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     #matchConfig.Name = "enp6s0f0";
@@ -36,17 +26,9 @@
     anyInterface = true;
   };
 
-  # There are no smart devices
-  services.smartd.enable = false;
-
-  # we are a vm now
   services.qemuGuest.enable = true;
 
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-  services.sshguard.enable = true;
-
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";
 }

hosts/bicep/services/matrix/coturn.nix

@@ -1,13 +1,6 @@
 { config, lib, fp, pkgs, secrets, values, ... }:
 
 {
-  sops.secrets."matrix/synapse/turnconfig" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/turnconfig";
-    owner = config.users.users.matrix-synapse.name;
-    group = config.users.users.matrix-synapse.group;
-    restartUnits = [ "coturn.service" ];
-  };
   sops.secrets."matrix/coturn/static-auth-secret" = {
     sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "coturn/static-auth-secret";
@@ -16,9 +9,18 @@
     restartUnits = [ "coturn.service" ];
   };
 
+  sops.templates."matrix-synapse-turnconfig" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+    content = ''
+      turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
+    '';
+    restartUnits = [ "matrix-synapse.target" ];
+  };
+
   services.matrix-synapse-next = {
     extraConfigFiles = [
-      config.sops.secrets."matrix/synapse/turnconfig".path
+      config.sops.templates."matrix-synapse-turnconfig".path
     ];
 
     settings = {

hosts/bicep/services/matrix/default.nix

@@ -1,7 +1,5 @@
 { config, ... }:
-
 {
-
   imports = [
     ./synapse.nix
     ./synapse-admin.nix
@@ -15,7 +13,4 @@
     ./out-of-your-element.nix
     ./hookshot
   ];
-
-
-
 }

hosts/bicep/services/matrix/element.nix

@@ -16,10 +16,10 @@ in {
 
     root = pkgs.element-web.override {
       conf = {
-        default_server_config."m.homeserver" = {
-          base_url = "https://matrix.pvv.ntnu.no";
-          server_name = "pvv.ntnu.no";
-        };
+        # Tries to look up well-known first, else uses bundled config.
+        default_server_name = "matrix.pvv.ntnu.no";
+        default_server_config = config.services.pvv-matrix-well-known.client;
+
         disable_3pid_login = true;
 #        integrations_ui_url = "https://dimension.dodsorf.as/riot";
 #        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";

hosts/bicep/services/matrix/synapse.nix

@@ -15,11 +15,16 @@ in {
     group = config.users.users.matrix-synapse.group;
   };
 
-  sops.secrets."matrix/synapse/user_registration" = {
+  sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
     sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/signing_key";
+    key = "synapse/user_registration/registration_shared_secret";
+  };
+  sops.templates."matrix-synapse-user-registration" = {
     owner = config.users.users.matrix-synapse.name;
     group = config.users.users.matrix-synapse.group;
+    content = ''
+      registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
+    '';
   };
 
   services.matrix-synapse-next = {
@@ -83,7 +88,7 @@ in {
       mau_stats_only = true;
 
       enable_registration = false;
-      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
+      registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;
 
       password_config.enabled = true;
 
@@ -95,6 +100,32 @@ in {
         }
       ];
 
+      experimental_features = {
+        # MSC3266: Room summary API. Used for knocking over federation
+        msc3266_enabled = true;
+        # MSC4222 needed for syncv2 state_after. This allow clients to
+        # correctly track the state of the room.
+        msc4222_enabled = true;
+      };
+
+      # The maximum allowed duration by which sent events can be delayed, as
+      # per MSC4140.
+      max_event_delay_duration = "24h";
+
+      rc_message = {
+        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
+        # Note key sharing events are bursty
+        per_second = 0.5;
+        burst_count = 30;
+      };
+
+      rc_delayed_event_mgmt = {
+        # This needs to match at least the heart-beat frequency plus a bit of headroom
+        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
+        per_second = 1;
+        burst_count = 20;
+      };
+
       trusted_key_servers = [
         { server_name = "matrix.org"; }
         { server_name = "dodsorf.as"; }

hosts/bikkje/configuration.nix

@@ -25,6 +25,7 @@
       ];
 
       networking = {
+        hostName = "bikkje";
         firewall = {
           enable = true;
           # Allow SSH and HTTP and ports for email and irc
@@ -36,9 +37,11 @@
         useHostResolvConf = mkForce false;
       };
 
-      system.stateVersion = "23.11";
       services.resolved.enable = true;
-    };
-  };
 
+      # Don't change (even during upgrades) unless you know what you are doing.
+      # See https://search.nixos.org/options?show=system.stateVersion
+      system.stateVersion = "23.11";
+    };
+  };
 };

hosts/brzeczyszczykiewicz/configuration.nix

@@ -8,28 +8,14 @@
       ./services/grzegorz.nix
     ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "brzeczyszczykiewicz";
-
   systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
     matchConfig.Name = "eno1";
     address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  fonts.fontconfig.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.05";
 }

hosts/georg/configuration.nix

@@ -8,24 +8,11 @@
       (fp /modules/grzegorz.nix)
     ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "georg";
-
   systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
     matchConfig.Name = "eno1";
     address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-
-
   services.spotifyd = {
     enable = true;
     settings.global = {
@@ -41,15 +28,9 @@
     5353 # spotifyd is its own mDNS service wtf
   ];
 
+  fonts.fontconfig.enable = true;
 
-
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.05";
 }

hosts/gluttony/configuration.nix

@@ -10,16 +10,12 @@
     (fp /base)
   ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
   systemd.network.enable = lib.mkForce false;
   networking =
     let
       hostConf = values.hosts.gluttony;
     in
     {
-      hostName = "gluttony";
       tempAddresses = "disabled";
       useDHCP = false;
 
@@ -47,5 +43,9 @@
       };
     };
 
-  system.stateVersion = "25.11"; # Don't change unless you know what you are doing.
+  services.qemuGuest.enable = true;
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
 }

hosts/ildkule/configuration.nix

@@ -10,11 +10,7 @@
       ./services/journald-remote.nix
     ];
 
-  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
+  boot.loader.systemd-boot.enable = false;
   boot.loader.grub.device = "/dev/vda";
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -24,7 +20,6 @@
   networking = let
     hostConf = values.hosts.ildkule;
   in {
-    hostName = "ildkule";
     tempAddresses = "disabled";
     useDHCP = lib.mkForce true;
 
@@ -43,13 +38,9 @@
     };
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # No devices with SMART
-  services.smartd.enable = false;
-
-  system.stateVersion = "23.11"; # Did you read the comment?
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.11";
 }

hosts/kommode/configuration.nix

@@ -9,16 +9,6 @@
     ./services/nginx.nix
   ];
 
-  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "kommode"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -26,7 +16,9 @@
 
   services.btrfs.autoScrub.enable = true;
 
-  environment.systemPackages = with pkgs; [];
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.11";
 }

hosts/lupine/configuration.nix

@@ -9,12 +9,6 @@
   ];
 
   sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
 
   systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp0s31f6";
@@ -28,7 +22,7 @@
   # There are no smart devices
   services.smartd.enable = false;
 
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "25.05";
 }

hosts/shark/configuration.nix

@@ -6,33 +6,14 @@
       (fp /base)
     ];
 
-  sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "shark"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.05";
 }

hosts/skrott/configuration.nix

@@ -1,14 +1,17 @@
-{ config, pkgs, lib, fp, ... }: {
+{ config, pkgs, lib, fp, values, ... }: {
   imports = [
     # ./hardware-configuration.nix
 
     (fp /base)
   ];
 
+  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
+
   boot = {
     consoleLogLevel = 0;
     enableContainers = false;
     loader.grub.enable = false;
+    loader.systemd-boot.enable = false;
     kernelPackages = pkgs.linuxPackages;
   };
 
@@ -21,13 +24,6 @@
 
   # TODO: can we reduce further?
 
-  system.stateVersion = "25.05";
-
-  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
   sops.secrets = {
     "dibbler/postgresql/url" = {
       owner = "dibbler";
@@ -42,7 +38,11 @@
     interfaces.eth0 = {
       useDHCP = false;
       ipv4.addresses = [{
-        address = "129.241.210.235";
+        address = values.hosts.skrott.ipv4;
+        prefixLength = 25;
+      }];
+      ipv6.addresses = [{
+        address = values.hosts.skrott.ipv6;
         prefixLength = 25;
       }];
     };
@@ -70,4 +70,8 @@
     wantedBy = [ "getty.target" ]; # to start at boot
     serviceConfig.Restart = "always"; # restart when session is closed
   };
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.05";
 }

hosts/temmie/configuration.nix

@@ -6,34 +6,19 @@
     (fp /base)
 
     ./services/nfs-mounts.nix
+    ./services/userweb.nix
   ];
 
-  # sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
-  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  # sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "temmie"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
+  services.nginx.enable = false;
 
-  # List services that you want to enable:
+  services.qemuGuest.enable = true;
 
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.11"; # Did you read the comment?
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
 }

hosts/temmie/services/nfs-mounts.nix

@@ -1,21 +1,60 @@
-{ pkgs, lib, ... }:
-{
-  fileSystems = let
+{ lib, values, ... }:
+let
   # See microbel:/etc/exports
-    shorthandAreas = lib.listToAttrs (map
-      (l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
-      [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ]);
-  in { }
-  //
-  (lib.mapAttrs (_: device: {
-    inherit device;
-    fsType = "nfs";
-    options = [
+  letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+in
+{
+  systemd.targets."pvv-homedirs" = {
+    description = "PVV Homedir Partitions";
+  };
+
+  systemd.mounts = map (l: {
+    description = "PVV Homedir Partition ${l}";
+
+    before = [ "remote-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+    requiredBy = [ "pvv-homedirs.target" ];
+
+    type = "nfs";
+    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
+    where = "/run/pvv-home-mounts/${l}";
+
+    options = lib.concatStringsSep "," [
       "nfsvers=3"
-      "noauto"
+
+      # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
+      #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
+      #       NFS which exact address to use here, despite it being specified in the `what` attr :\
       "proto=tcp"
-      "x-systemd.automount"
-      "x-systemd.idle-timeout=300"
+      "addr=${values.hosts.microbel.ipv4}"
+      "mountproto=tcp"
+      "mounthost=${values.hosts.microbel.ipv4}"
+      "port=2049"
+
+      # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
+      #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
+      #       quite sure how to fix it. Living life on dangerous mode for now.
+      "nolock"
+
+      # Don't wait on every read/write
+      "async"
+
+      # Always keep mounted
+      "noauto"
+
+      # We don't want to update access time constantly
+      "noatime"
+
+      # No SUID/SGID, no special devices
+      "nosuid"
+      "nodev"
+
+      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
+      # "ro"
+      "rw"
+
+      # TODO: can we enable this and still run cgi stuff?
+      # "noexec"
     ];
-  }) shorthandAreas);
+  }) letters;
 }

hosts/temmie/services/userweb.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  services.httpd = {
+    enable = true;
+
+    # extraModules = [];
+
+    # virtualHosts."userweb.pvv.ntnu.no" = {
+    virtualHosts."temmie.pvv.ntnu.no" = {
+
+      forceSSL = true;
+      enableACME = true;
+    };
+  };
+
+  systemd.services.httpd = {
+    after = [ "pvv-homedirs.target" ];
+    requires = [ "pvv-homedirs.target" ];
+
+    serviceConfig = {
+      ProtectHome = "tmpfs";
+      BindPaths = let
+        letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+      in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
+    };
+  };
+
+  # TODO: create phpfpm pools with php environments that contain packages similar to those present on tom
+}

hosts/ustetind/configuration.nix

@@ -7,12 +7,7 @@
     ./services/gitea-runners.nix
   ];
 
-  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  networking.hostName = "ustetind";
+  boot.loader.systemd-boot.enable = false;
 
   networking.useHostResolvConf = lib.mkForce false;
 
@@ -39,5 +34,7 @@
     };
   };
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.11";
 }

hosts/wenche/configuration.nix

@@ -14,15 +14,9 @@
     "armv7l-linux"
   ];
 
-  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
+  boot.loader.systemd-boot.enable = false;
   boot.loader.grub.device = "/dev/sda";
 
-  networking.hostName = "wenche"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -36,9 +30,9 @@
     package = config.boot.kernelPackages.nvidiaPackages.production;
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
+  services.qemuGuest.enable = true;
 
-  system.stateVersion = "24.11"; # Did you read the comment?
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "24.11";
 }

modules/grzegorz.nix

@@ -37,9 +37,13 @@ in {
   services.nginx.enable = true;
   services.nginx.virtualHosts = {
     ${config.networking.fqdn} = {
+      # NOTE: this overrides the default config in base/services/nginx.nix
+      addSSL = false;
       forceSSL = true;
       enableACME = true;
+
       kTLS = true;
+
       serverAliases = [
         "${machine}.pvv.org"
       ];

modules/matrix-ooye.nix

@@ -181,6 +181,9 @@ in
           #NoNewPrivileges = true;
           #PrivateDevices = true;
           Restart = "on-failure";
+          RestartSec = "5s";
+          StartLimitIntervalSec = "5s";
+          StartLimitBurst = "5";
           DynamicUser = true;
         };
       };

packages/ooye/generate-lock-patch.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p bash git gnugrep gnused nodejs_24
+
+GIT_TOPLEVEL=$(git rev-parse --show-toplevel)
+PACKAGE_NIX="$GIT_TOPLEVEL/packages/ooye/package.nix"
+REV="$(grep -oP '(?<=rev = ")[a-z0-9]+(?=")' "$PACKAGE_NIX")"
+
+TMPDIR="$(mktemp -d)"
+
+cleaning() {
+  rm -rf "$TMPDIR"
+}
+
+trap 'cleaning' SIGINT
+
+git clone --depth 1 --revision="$REV" https://git.pvv.ntnu.no/Drift/delete-your-element.git "$TMPDIR/ooye"
+pushd "$TMPDIR/ooye" || exit
+  sed -i 's/\s*"glob@<11.1": "^12"//' package.json
+  git diff --quiet --exit-code package.json && {
+    echo "Sed did't do it's job, please fix" >&2
+    cleaning
+    exit 1
+  }
+
+  rm -rf package-lock.json
+  npm install --package-lock-only
+
+  export GIT_AUTHOR_NAME='Lockinator 9000'
+  export GIT_AUTHOR_EMAIL='locksmith@lockal.local'
+  export GIT_AUTHOR_DATE='Sun, 01 Jan 1984 00:00:00 +0000'
+  export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
+  export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"
+  export GIT_COMMITTER_DATE="$GIT_AUTHOR_DATE"
+
+  git commit -am "package-lock.json: bomp" --no-gpg-sign
+  git format-patch HEAD~
+  mv 0001-package-lock.json-bomp.patch "$GIT_TOPLEVEL/packages/ooye/fix-lockfile.patch"
+  git reset --hard HEAD~
+popd || exit
+cleaning

packages/ooye/package.nix

@@ -2,31 +2,28 @@
   lib,
   fetchFromGitea,
   makeWrapper,
-  nodejs,
+  nodejs_24,
   buildNpmPackage,
-  fetchpatch,
 }:
+let
+  nodejs = nodejs_24;
+in
 buildNpmPackage {
   pname = "delete-your-element";
-  version = "3.3-unstable-2025-12-09";
+  version = "3.3-unstable-2026-01-21";
   src = fetchFromGitea {
     domain = "git.pvv.ntnu.no";
     owner = "Drift";
     repo = "delete-your-element";
-    rev = "1c0c545a024ef7215a1a3483c10acce853f79765";
-    hash = "sha256-ow/PdlHfU7PCwsjJUEzoETzONs1KoKTRMRQ9ADN0tGk=";
+    rev = "04d7872acb933254c0a4703064b2e08de31cfeb4";
+    hash = "sha256-CkKt+8VYjIhNM76c3mTf7X6d4ob8tB2w8T6xYS7+LuY=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "ooye-fix-package-lock-0001.patch";
-      url = "https://cgit.rory.gay/nix/OOYE-module.git/plain/pl.patch?h=ee126389d997ba14be3fe3ef360ba37b3617a9b2";
-      hash = "sha256-dP6WEHb0KksDraYML+jcR5DftH9BiXvwevUg38ALOrc=";
-    })
-  ];
+  inherit nodejs;
 
-  npmDepsHash = "sha256-OXOyO6LxK/WYYVysSxkol0ilMUZB+osLYUE5DpJlbps=";
-  # npmDepsHash = "sha256-Y+vgp7+7pIDm64AYSs8ltoAiON0EPpJInbmgn3/LkVA=";
+  patches = [ ./fix-lockfile.patch ];
+
+  npmDepsHash = "sha256-tiGXr86x9QNAwhZcxSOox6sP9allyz9QSH3XOZOb3z8=";
   dontNpmBuild = true;
   makeCacheWritable = true;
 

secrets/bicep/matrix.yaml

@@ -1,6 +1,6 @@
 synapse:
-    turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str]
-    user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str]
+    user_registration:
+        registration_shared_secret: ENC[AES256_GCM,data:Ch0JzTJ7OqZQxr+L,iv:6hSTsBwieRg6oy0feBaqJQaY/AvIUyIlcclzlK0GmVE=,tag:Z55kxXppzmU+YP5JkU0jLw==,type:str]
     signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str]
 coturn:
     static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str]
@@ -86,8 +86,8 @@ sops:
             Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
             OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-21T01:01:35Z"
-    mac: ENC[AES256_GCM,data:1f8RYVjnNs9T3DRFY+CouPUsGmfBRWEOASjB04dd89iIYC6sagk5e4JjqPDpOQjMxbAVnEKa2oX+nFSBa8xF14jqNSadl9xwlKwLJnaBhUb3grJ5d+O8Tcq+0xQ+oqIN+Awm6eaJTesiopRu68MhFQeUZwBUO+83W2YeQgFhz34=,iv:NymjPCr6/osod8liluA6Pbq1XT4KiI/qIS6lx9sM4NQ=,tag:Td3mjPaHUFeD3d/hZ3f1og==,type:str]
+    lastmodified: "2026-01-21T02:03:24Z"
+    mac: ENC[AES256_GCM,data:yVe+78V7zYgYveLFBghKdAeibg97DRafgsRRCZPYkWu8t2iadtD5UqRK0KS4Zcc55ojHJ11otgadaPHQyl8EIzt7Dwlm7ZOVEmmPAYdaweWfnPRdFhDAxcgj8Ejh03LAdLQK8WwlfTF/09Avub2ZUnN0aPwFCen/qD6dYmcGDNk=,iv:y4YE9AqlVVBBtRGoIdfIcNGE4chChBOR0Euy68xkQBA=,tag:/yopCpkvFaEzr2iXxLd3uw==,type:str]
     pgp:
         - created_at: "2026-01-16T06:34:46Z"
           enc: |-

topology/default.nix

@@ -53,7 +53,7 @@ in {
   nodes.ntnu-pvv-router = mkRouter "NTNU PVV Gateway" {
     interfaceGroups = [ ["wan1"] ["eth1"] ];
     connections.eth1 = mkConnection "knutsen" "em1";
-    interfaces.eth1.network = "pvv";
+    interfaces.eth1.network = "ntnu";
   };
 
   nodes.knutsen = mkRouter "knutsen" {
@@ -82,6 +82,8 @@ in {
         (mkConnection "buskerud" "eth1")
         # (mkConnection "knutsen" "eth1")
         (mkConnection "powerpuff-cluster" "eth1")
+        (mkConnection "powerpuff-cluster" "eth2")
+        (mkConnection "powerpuff-cluster" "eth3")
         (mkConnection "lupine-1" "enp0s31f6")
         (mkConnection "lupine-2" "enp0s31f6")
         (mkConnection "lupine-3" "enp0s31f6")
@@ -139,7 +141,7 @@ in {
 
     hardware.info = "Dell PowerEdge R730 x 3";
 
-    interfaceGroups = [ [ "eth1" ] ];
+    interfaceGroups = [ [ "eth1" "eth2" "eth3" ] ];
 
     services = {
       proxmox = {
@@ -167,6 +169,13 @@ in {
     interfaces.ens18.network = "pvv";
   };
 
+  nodes.temmie = {
+    guestType = "proxmox";
+    parent = config.nodes.powerpuff-cluster.id;
+
+    interfaces.ens18.network = "pvv";
+  };
+
   nodes.ustetind = {
     guestType = "proxmox LXC";
     parent = config.nodes.powerpuff-cluster.id;
@@ -219,7 +228,7 @@ in {
         (mkConnection "demiurgen" "eno1")
         (mkConnection "sanctuary" "ethernet_0")
         (mkConnection "torskas" "eth0")
-        (mkConnection "skrott" "eth0")
+        (mkConnection "skrot" "eth0")
         (mkConnection "homeassistant" "eth0")
         (mkConnection "orchid" "eth0")
         (mkConnection "principal" "em0")
@@ -249,6 +258,12 @@ in {
 
     interfaces.ens4.network = "ntnu";
   };
+  nodes.gluttony = {
+    guestType = "openstack";
+    parent = config.nodes.stackit.id;
+
+    interfaces.ens3.network = "ntnu";
+  };
   nodes.wenche = {
     guestType = "openstack";
     parent = config.nodes.stackit.id;

topology/non-nixos-machines.nix

@@ -290,21 +290,6 @@ in {
     };
   };
 
-  nodes.skrott = mkDevice "skrott" {
-    # TODO: the interface name is likely wrong
-    interfaceGroups = [ [ "eth0" ] ];
-    interfaces.eth0 = {
-      # mac = "";
-      addresses = [
-        "129.241.210.235"
-      ];
-      gateways = [
-        values.hosts.gateway
-        values.hosts.gateway6
-      ];
-    };
-  };
-
   nodes.torskas = mkDevice "torskas" {
     deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/arch_linux.svg";
 

topology/service-extractors/postgresql.nix

@@ -6,7 +6,6 @@ in
 {
   config.topology.self.services.postgresql = lib.mkIf cfg.enable {
     name = "PostgreSQL";
-    icon = "${unstablePkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/postgresql.svg";
 
     details.listen.text = lib.mkIf cfg.enableTCPIP "0.0.0.0:${toString cfg.settings.port}";
     details.socket.text = "/run/postgresql/.s.PGSQL.${toString cfg.settings.port}";

values.nix

@@ -69,10 +69,18 @@ in rec {
       ipv4 = pvv-ipv4 223;
       ipv6 = pvv-ipv6 223;
     };
+    microbel = {
+      ipv4 = pvv-ipv4 179;
+      ipv6 = pvv-ipv6 "1:2";
+    };
     ustetind = {
       ipv4 = pvv-ipv4 234;
       ipv6 = pvv-ipv6 234;
     };
+    skrott = {
+      ipv4 = pvv-ipv4 235;
+      ipv6 = pvv-ipv6 235;
+    };
     temmie = {
       ipv4 = pvv-ipv4 167;
       ipv6 = pvv-ipv6 167;